Inclusion proof verification fails: wrong proof size
Description
We're once again seeing errors: https://github.com/slsa-framework/example-package/actions/runs/3057744627/jobs/4933233549#step:3:74
validating log entry: verifying inclusion proof: wrong proof size 16, want 17
Version
This run was in the last 12 hours, so I believe 0.12 or 0.11 was deployed? Would be good to get confirmation.
Will check a little if I can reproduce sometime later.
cc @laurentsimon @ianlewis
We've seen a different verification failure at Chainguard a few times over the past week or two:
verifying inclusion proof: calculated root:
[119 6 99 127 2 28 252 162 65 159 51 229 121 172 227 71 23 198 147 59 68 41 156 37 253 82 90 121 25 9 94 245]
does not match expected root:
[209 92 229 175 211 154 106 221 90 249 191 242 25 31 173 181 104 66 147 133 251 215 219 244 203 6 150 181 93 92 252 133]
(It's in the context of Gitsign verification.) Not sure if that's related.
It likely is! They go hand in hand: https://github.com/sigstore/rekor/pull/956
There's probably another place this is happening.
It looks like the cause is that production is running 0.10.0 and not 0.11.0, which contains the fix. I'm updating prod now, though we can't roll out the latest 0.12.0 yet since we haven't verified it in staging.
@asraa, can you verify this is now working and mark as closed once you do?
We may have seen this happen again recently, but I'm trying to pinpoint if it's occurring after the rollout: https://github.com/slsa-framework/slsa-verifier/issues/285
@asraa can we close this out?
@bobcallaway @asraa We haven't seen it on slsa-github-generator e2e tests for a while so I think it's ok to close out.
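For readers following the two error messages quoted in this thread, here is an added example (not code from Rekor or from any participant, and not a reproduction of the Rekor bug) of RFC 6962 inclusion-proof verification. It shows that a proof issued at one tree size and checked against a checkpoint taken at another size fails with either a proof-size error or a root mismatch. The names `H`, `node`, `tree` and `Verify`, the nine one-byte leaves, and the error wording modeled on the messages above are assumptions made for illustration.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"math/bits"
)

type H = [32]byte // RFC 6962: leaf = SHA-256(0x00 || entry), node = SHA-256(0x01 || l || r)
func node(l, r H) H { return sha256.Sum256(append(append([]byte{1}, l[:]...), r[:]...)) }

// tree returns the root over constructed leaves lo..hi-1 and the audit path for leaf i.
func tree(lo, hi, i int) (H, []H) {
	if hi-lo == 1 {
		return sha256.Sum256([]byte{0, byte(lo)}), nil // constructed one-byte entry
	}
	k := lo + 1<<(bits.Len(uint(hi-lo-1))-1) // split at largest power of two below the width
	lr, lp := tree(lo, k, i)
	rr, rp := tree(k, hi, i)
	if i < k {
		return node(lr, rr), append(lp, rr)
	}
	return node(lr, rr), append(rp, lr)
}

// Verify checks a proof for leaf hash h against a checkpoint (size, root); needs index < size.
func Verify(index, size uint64, h H, proof []H, root H) error {
	inner := bits.Len64(index ^ (size - 1)) // levels where index bits pick the sibling side
	if want := inner + bits.OnesCount64(index>>uint(inner)); len(proof) != want {
		return fmt.Errorf("wrong proof size %d, want %d", len(proof), want)
	}
	for i, p := range proof {
		if i < inner && index>>uint(i)&1 == 0 {
			h, p = p, h // current node is the left child
		}
		h = node(p, h)
	}
	if h != root {
		return fmt.Errorf("calculated root does not match expected root")
	}
	return nil
}

func main() {
	_, proof := tree(0, 8, 5) // proof for leaf 5, issued when the log held 8 entries
	for _, size := range []int{8, 9, 7} { // checkpoints taken at the same and at other sizes
		root, _ := tree(0, size, 5)
		fmt.Println(size, Verify(5, uint64(size), sha256.Sum256([]byte{0, 5}), proof, root))
	}
}
```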